Friday, September 24, 2010

Email, Cloud, Privacy and the ECPA

Congress passed the Electronic Communications Privacy Act (ECPA) in 1986. This federal law comprises three different Acts: the Wiretap Act, amending Title III of the Omnibus Crime Control and Safe Streets Act of 1968, the Stored Communication Act (SCA), and the Pen Register Act.

It is now time to reform the ECPA, and this reform is on Congress’ agenda. The House of Representatives Committee on the Judiciary, Subcommittee on the Constitution, Civil Rights, and Civil Liberties, heard testimony on September 23 regarding “ECPA Reform and the Revolution in Cloud Computing.”

The Fourth Amendment of the United States Constitution guarantees the “right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures.” The Supreme Court held in Katz v. United States that the government cannot eavesdrop on telephone communications held in a place where one has an actual (subjective) expectation of privacy that society is prepared to recognize as reasonable (J. Harlan, concurring). The Court noted that it had emphasized “over and again… that the mandate of the [Fourth] Amendment requires adherence to judicial processes, and that searches conducted outside the judicial process, without prior approval by judge or magistrate, are per se unreasonable under the Fourth Amendment subject only to a few specifically established and well-delineated exceptions…” Indeed, pursuant to the Fourth Amendment, warrants may only be issued upon probable cause, and must “particularly describe the place to be searched, and the persons or things to be seized.”

In Berger v. New York, the Supreme Court emphasized that “the need for particularity and evidence of reliability in the showing required when judicial authorization of a search is sought is especially great in the case of eavesdropping. By its very nature eavesdropping involves an intrusion on privacy that is broad in scope…”

Enacted after Katz and Berger, Title III of the Omnibus Crime Control and Safe Streets Act of 1968 (the “Wiretap Act”), as amended in 1986 by the ECPA, defines electronic communication as “any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic or photooptical system that affects interstate or foreign commerce, but does not include — (A) any wire or oral communication.” 18 U.S.C. §2510(12). Electronic storage is defined as “(A) any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof; and (B) any storage of such communication by an electronic communication service for purposes of backup protection of such communication.” 18 U.S.C. §2510(17).

The ECPA was enacted in 1986 to set a "fair balance between the privacy expectations of American citizens and the legitimate needs of law enforcement agencies." (Senate Report No. 99-541, 99th Cong., 2d Sess. 5 (1986)). At that time, only a few Americans had heard about the Internet. Storing data was expensive. In his testimony, Richard Salgado, Google’s Senior Counsel, Law Enforcement and Information Security, noted that it took $650 in 1986 to buy a 10 megabyte hard drive with room to store “about two high resolution photos”, whereas today it will cost less than $100 to buy a 1.5 terabyte hard drive!

Data was not tucked in a cloud. A Gartner survey showed this month that cloud-computing services represent 10 percent of spending on external IT services in 2010. A Pew Research Center survey revealed in 2008 that 69% of online Americans store data online or use a web-based software application.

New technologies, new privacy challenges. In his testimony, Michael Hintze, Microsoft Associate General Counsel, argued that the ECPA, since being enacted into law in 1986, has failed to keep pace with technology. He took the example of the distinction the ECPA draws between emails stored for less than 180 days and those stored for more than 180 days, and concluded that this distinction no longer makes any sense.

Indeed, the SCA, as codified at 18 U.S.C. §2703(a), allows the government to require the disclosure by an electronic communication service provider of the contents of a wire or electronic communication that is in electronic storage in an electronic communications system for 180 days or less, but only if the government first obtains a federal or state court-issued warrant. If the data has been in storage for more than 180 days, the government can require the provider to disclose the data without prior notice to the subscriber or customer if it first obtains a federal or state court-issued warrant. If the government provides prior notice to the subscriber or customer, the government must still obtain (i) an administrative subpoena authorized by a Federal or State statute or a Federal or State grand jury or trial subpoena; or (ii) a court order for such disclosure. 18 U.S.C. §2703(b).

Therefore the ECPA provides more protection for emails stored for less than 180 days than for emails stored for more than 180 days. That made sense in 1986, when storing data was extremely costly, but we are now living in a world where some of us keep emails for months, sometimes years, tucked in the cloud. Should the privacy of these emails be less protected than when they first arrived in our mailboxes?

The first version of Microsoft Exchange was released in 1996. The user was able to download emails from a server to a local machine. One could then conceive that an email which had not been downloaded after 180 days had been abandoned by the recipient, who thus had no expectation of privacy in the message. However, Hotmail, offered for the first time in 1997, stored emails in the cloud. The cloud retained the message even after its intended recipient had read it. Data storage capacity was still limited in 1997, but that is no longer the case. Mr. Hintze concludes that users reasonably expect their data to be as private on day 181 as it is on day 179. It is hard to disagree with that statement.

A coalition of companies and non-profit organizations, the Digital Due Process Coalition, has also been advocating SCA reform. Members of the coalition include, among others, the American Civil Liberties Union, the Center for Democracy and Technology, the Electronic Frontier Foundation, Google, Microsoft, IBM, and AT&T.

The coalition recommends that the Act be reformed so that the government can require electronic communications providers to give it access to the non-public content of communications only by producing a search warrant based on probable cause, and this “regardless of the age of the communication, the means or status of its storage or the provider’s access to or use of the content in its business operations.” (see p. 5 of Becky Burr, ECPA: PRINCIPLES FOR REFORM)
